Schrems I, Schrems II & the Fragile EU-US Data Deal

The transatlantic data transfer framework has been struck down twice by the Court of Justice of the European Union, first in Schrems I (2015) and again in Schrems II (2020). The current EU-US Data Privacy Framework, adopted in July 2023, faces the same structural vulnerabilities that doomed its predecessors — and a third legal challenge is already underway.

Published 2025-02-20

Key Takeaways

  • The CJEU invalidated the EU-US Safe Harbor framework in Schrems I (Case C-362/14, October 2015) after Snowden revelations exposed mass US surveillance incompatible with EU fundamental rights.
  • Schrems II (Case C-311/18, July 2020) struck down the Privacy Shield replacement, finding that US surveillance law — particularly FISA Section 702 — lacked proportionality and effective judicial redress.
  • The EU-US Data Privacy Framework adopted in July 2023 relies on Executive Order 14086 and a new Data Protection Review Court, but an executive order can be revoked by any future president.
  • NOYB has announced a "Schrems III" challenge to the DPF, arguing it suffers from the same structural deficiencies the CJEU has already identified twice; a separate annulment action brought by a French MEP in 2023 is already pending before the EU General Court.

Schrems I: The Fall of Safe Harbor

The story begins with Maximilian Schrems, an Austrian law student who in June 2013 filed a complaint with the Irish Data Protection Commissioner challenging Facebook Ireland's transfers of personal data to Facebook Inc. in the United States. The complaint was filed in the wake of Edward Snowden's revelations about the NSA's PRISM programme, which showed that the NSA was collecting, under FISA Section 702, data held by major American technology companies, the same companies certified under the EU-US Safe Harbor framework.

The Irish DPC initially rejected Schrems' complaint, arguing that the European Commission's Safe Harbor adequacy decision (Decision 2000/520/EC) was binding on it. Schrems challenged this before the Irish High Court, which referred the matter to the CJEU. On 6 October 2015, the CJEU delivered its judgment in Case C-362/14 (Schrems I), declaring the Safe Harbor decision invalid. The Court held that the Commission had not adequately assessed whether US law ensured a level of protection "essentially equivalent" to that guaranteed within the EU, and that Safe Harbor's self-certification mechanism lacked both independent oversight and effective legal remedies for EU data subjects. It also held that a Commission adequacy decision cannot prevent a national supervisory authority from examining a complaint about transfers made under it, which is why the DPC's original refusal could not stand.

The ruling was seismic. Approximately 4,500 companies had relied on Safe Harbor as their legal basis for transatlantic data transfers. The immediate fallout forced organisations to scramble toward Standard Contractual Clauses (SCCs) and Binding Corporate Rules as alternatives, mechanisms the Court had not ruled on and whose own robustness against US surveillance law was left open until Schrems II.

The Privacy Shield Interlude and Schrems II

The European Commission and the US Department of Commerce negotiated a replacement framework at speed. The EU-US Privacy Shield (Decision (EU) 2016/1250) was adopted on 12 July 2016, incorporating new commitments from the US government including written assurances from the Office of the Director of National Intelligence that mass surveillance would be subject to limitations and an Ombudsperson mechanism for EU citizens' complaints.

Privacy advocates were sceptical from day one. Schrems, meanwhile, had already reformulated his original complaint in December 2015 to target Facebook Ireland's reliance on Standard Contractual Clauses, arguing that the underlying US surveillance law, in particular Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, had not materially changed. Rather than decide the complaint itself, the Irish DPC brought proceedings before the Irish High Court, which in 2018 referred questions to the CJEU covering both the SCCs and, incidentally, the Privacy Shield. (NOYB, the organisation Schrems later founded, came into being during this second round of litigation.)

On 16 July 2020, the CJEU handed down its judgment in Case C-311/18 (Schrems II), invalidating the Privacy Shield. The Court's reasoning was devastating for the US position: FISA Section 702 did not limit surveillance to what is "strictly necessary" as required by EU law; Executive Order 12333 operated with essentially no constraints on non-US persons; and the Ombudsperson mechanism lacked independence and binding decision-making power. The Court held that these deficiencies meant US law failed to provide protection "essentially equivalent" to that guaranteed by the EU Charter of Fundamental Rights (Articles 7, 8, and 47).

Critically, the Court also upheld the validity of SCCs as a transfer mechanism in principle, but placed the burden on data exporters to verify, on a case-by-case basis, that the laws of the recipient country do not undermine the protections in the clauses; where they do, the exporter must add "supplementary measures" (the catalogue is in the EDPB's Recommendations 01/2020) or suspend the transfer. For transfers to the US this is a heavy burden: FISA 702 applies to data held by US electronic communication service providers regardless of what the provider has promised contractually, so a contract alone cannot close the gap.

The Data Privacy Framework: Third Time Lucky?

In October 2022, President Biden signed Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities." The EO introduced a proportionality requirement for signals intelligence collection and established a two-tier redress mechanism: complaints are first reviewed by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, then by a newly created Data Protection Review Court (DPRC) with authority to issue binding decisions. On this basis, the European Commission adopted the EU-US Data Privacy Framework adequacy decision (Implementing Decision (EU) 2023/1795) on 10 July 2023.

The DPF addresses some of the CJEU's concerns from Schrems II, but its structural foundations remain contested. The core problem is architectural: the safeguards rest on an executive order, not legislation. Any sitting US president can amend or revoke EO 14086 without Congressional approval. The DPRC is established by executive authority, not statute; its judges are appointed by the Attorney General; and its proceedings are not public. Critics also note that FISA Section 702 was reauthorised in April 2024 not only without the reforms privacy advocates sought, but with an expansion of the definition of "electronic communication service provider" that could compel more entities to assist with surveillance.

The European Data Protection Board's Opinion 5/2023 on the draft adequacy decision acknowledged improvements but flagged concerns about bulk collection, the temporary nature of executive-order safeguards, and the absence of prior judicial authorisation for surveillance under FISA 702. The European Parliament went further, adopting a resolution on 11 May 2023 stating that the DPF "fails to create actual equivalence in the level of protection" and calling on the Commission not to adopt it.

Schrems III and the Structural Vulnerability

NOYB has announced what is widely termed the "Schrems III" challenge to the DPF adequacy decision; a separate annulment action, brought by French MEP Philippe Latombe in September 2023, is already pending before the EU General Court. NOYB's argument is straightforward: the fundamental problems identified in Schrems I and Schrems II, namely the scope of FISA 702 collection, the absence of meaningful judicial oversight for non-US persons, and the lack of legislative (as opposed to executive) safeguards, have not been resolved by Executive Order 14086. The DPRC, NOYB argues, does not satisfy Article 47 of the EU Charter because its proceedings are secret, complainants never learn whether their data was actually accessed (they receive only a standard reply that no violation was found or that a remedy was ordered), and the court's decisions are classified.

The political dimension compounds the legal risk. The safeguards underpinning the DPF are products of executive action by the Biden administration. A future administration could weaken or revoke them entirely, and it would need no vote in Congress to do so. This is not speculative: on its first day in office in January 2025 the second Trump administration rescinded dozens of Biden-era executive orders in a single order. EO 14086 was not among them, but the mechanism is the same. Any organisation building its compliance architecture around the DPF must account for the possibility that the legal basis could evaporate on short notice, either through a ruling by the EU courts (which could come as early as 2025 or 2026) or through US executive action.

For European organisations making infrastructure decisions, the Schrems saga carries a clear lesson: legal mechanisms for transatlantic data transfer are inherently unstable as long as US surveillance law remains unreformed by Congress. Technical measures offer a more durable foundation than any adequacy decision, provided they actually deny the US provider access to plaintext: encrypting or pseudonymising data before export with keys that never leave the EU, or keeping personal data processing within EU jurisdiction entirely, with a provider that is itself outside the reach of US law. The organisations that will be least disrupted by a potential Schrems III ruling are those that have already minimised their dependence on the legal transfer framework.
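The following is an added example, not code from the article: a keyed-pseudonymisation variant of the "importer never sees plaintext" measure described above. The EU-side controller holds a secret key and a re-identification table; what is sent to the US importer contains only HMAC-SHA256 tokens in place of direct identifiers, and a pre-transfer check confirms no identifier value survives in the export. The record schema, the field names in `DIRECT_IDENTIFIERS`, and the sample record are assumptions made for the example.

```python
"""Keyed pseudonymisation before transatlantic export (added example).

The key and the token->value table stay with the EU controller; the
importer receives only tokens, so no contractual or legal change on the
US side gives it access to the underlying identifiers.
"""
import hashlib
import hmac
import json
import secrets

# Assumed schema for this example: fields that must never leave the EU
# in plaintext. Everything else is exported as-is.
DIRECT_IDENTIFIERS = ("email", "name", "phone")


def make_export_key():
    """Generate the pseudonymisation key. In production it would live in an
    EU-hosted KMS/HSM; it is never sent to the importer."""
    return secrets.token_bytes(32)


def pseudonymise_record(record, key, lookup):
    """Return an export copy of `record` with direct identifiers replaced by
    HMAC-SHA256 tokens. The token -> original value mapping is written to
    `lookup`, which stays on the EU side."""
    exported = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS and value is not None:
            # Domain-separate by field name so the same string in two fields
            # gives different tokens; key the hash so the importer cannot
            # recover values by hashing a dictionary of likely emails/names.
            msg = f"{field}:{value}".encode("utf-8")
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()
            lookup[token] = value
            exported[field] = token
        else:
            exported[field] = value
    return exported


def reidentify_record(exported, lookup):
    """EU-side reversal: map tokens back using the table that was never shared."""
    return {
        field: (lookup.get(value, value) if field in DIRECT_IDENTIFIERS else value)
        for field, value in exported.items()
    }


def export_leaks_plaintext(exported_batch, original_batch):
    """Pre-transfer check: return the set of original identifier values that
    still appear anywhere in the serialised export (empty set means clean)."""
    blob = json.dumps(exported_batch, sort_keys=True)
    leaked = set()
    for record in original_batch:
        for field in DIRECT_IDENTIFIERS:
            value = record.get(field)
            if value is not None and str(value) in blob:
                leaked.add(str(value))
    return leaked


def run_demo():
    """Pseudonymise one constructed record and run the leak check on it."""
    # Constructed sample record, not real data.
    record = {"email": "alice@example.eu", "name": "Alice Example",
              "phone": None, "country": "AT", "plan": "pro"}
    key = make_export_key()
    lookup = {}  # stays in the EU alongside the key
    exported = pseudonymise_record(record, key, lookup)
    leaks = export_leaks_plaintext([exported], [record])
    return exported, leaks, reidentify_record(exported, lookup) == record


if __name__ == "__main__":
    exported, leaks, round_trip_ok = run_demo()
    print(json.dumps(exported, indent=2))
    print("leaked identifiers:", leaks or "none")
    print("EU-side re-identification works:", round_trip_ok)
```

Tokens are deterministic under one key, so the importer can still join records on the same customer; that determinism also leaks equality between records, so where linkability is not needed a per-record random salt stored in the EU-side table removes it. The measure collapses if the key or the lookup table is stored with the same US provider, which is the custody question a transfer impact assessment has to answer. Encrypting whole payloads works on the same principle as long as the keys stay in the EU.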

Frequently Asked Questions

What is the Schrems II ruling?

Schrems II is the July 2020 ruling by the Court of Justice of the European Union (Case C-311/18) that invalidated the EU-US Privacy Shield framework for transatlantic data transfers, finding that US surveillance laws do not provide adequate protection for EU personal data.

Is the EU-US Data Privacy Framework safe to rely on?

The EU-US Data Privacy Framework adopted in July 2023 faces the same structural vulnerabilities as its predecessors. Privacy organisation noyb has already signalled a legal challenge (a potential "Schrems III"), and the framework relies on an executive order that can be revoked by any future US president.

Can I still transfer personal data from the EU to the US?

Yes, via the EU-US Data Privacy Framework (for certified US companies), Standard Contractual Clauses with a transfer impact assessment and any supplementary measures it calls for, or Binding Corporate Rules. However, each mechanism carries legal risk. Keeping data within the EU with a provider that is not subject to US jurisdiction removes the transfer question altogether, though the provider's corporate ownership and its sub-processors have to be checked as well.

Tags: Schrems, Privacy Shield, Data Privacy Framework